ABSTRACT

A method for authenticating an authorized user to multiple computer servers within a distributed computing environment after a single network sign-on is disclosed. In accordance with the method and system of the present invention, an authentication broker is provided within the distributed computing network. The authentication broker first receives an authentication request from a workstation. After a determination that the authentication request is valid, the authentication broker then issues a Kerberos Ticket Granting Ticket to the workstation. At this point, if there is a request by the workstation for accessing a Kerberos Ticket-based server within the distributed computing network, the authentication broker will issue a Kerberos Service Ticket to the workstation. Similarly, if there is a request by the workstation for accessing a passticket-based server within the distributed computing network, the authentication broker will issue a passticket to the workstation. Finally, if there is a request by the workstation for accessing a password-based server within the distributed computing network, the authentication broker will issue a password to the workstation. By this, accesses to all of the above servers within the distributed computing network can be granted via a single network authentication request.

15 Claims, 6 Drawing Sheets
METHOD AND SYSTEM FOR AUTHENTICATING USERS TO MULTIPLE COMPUTER SERVERS VIA A SINGLE SIGN-ON

The present invention was developed with the support of [remainder illegible in the source scan].

BACKGROUND OF THE INVENTION

1. Technical Field

The present invention relates to a method and system for data processing in general and, in particular, to a method and system for processing sign-on requests within a distributed computer network. Still more particularly, the present invention relates to a method and system for authenticating an authorized user with respect to multiple computer servers within a distributed computing environment after a single network sign-on.

2. Description of the Prior Art

In a multiuser computer system, identification and authentication mechanisms are essential for identifying and authenticating each individual who requests any usage of system resources. The most common implementation of such mechanisms is a user identification (ID) along with a password. Thus, each multiuser computer system contains, as a minimum, a unique sign-on ID for each registered user to the system. This allows accountability of system usage down to an individual.

However, when such user identification and authentication implementation methodology is extrapolated to more than one computer system within a distributed computing environment, a user must repeatedly provide a user ID along with an appropriate password in order to gain access to each computer system. For a user who wishes to gain access to several services, each provided by a different computer system, within a single session, this repetitious sign-on procedure tends to be very tedious if not annoying. Especially, in most cases, the user ID and password to each computer system within the distributed computing environment are so distinctive that it is very inconvenient for the user to remember several unique user IDs and passwords. Further, in order to sign on remotely, the user ID and password must be transmitted to a remote computer system. Without a secure path between the user's computer system and the remote computer system, anyone who has access to the distributed computing environment could use a network analyzer to discover the user ID and password of the user. As such, the effectiveness of the sign-on procedure as a means of security measure may be undermined.

One solution for single sign-on and authentication in a distributed computing environment is known as Kerberos. Kerberos is an authentication protocol developed as part of Project Athena at Massachusetts Institute of Technology. Kerberos provides an excellent platform for single sign-on and authentication in an open network environment. Unfortunately, Kerberos support is not transparent and requires various custom modifications to the applications as well as the system utilities by a way often referred to as "Kerberizing." As the popularity of Kerberos grows in recent years, many operating systems and application vendors are beginning to provide support for Kerberos, but this support is far from universal. For this reason, it is not possible to solely rely upon Kerberos as the only means for single sign-on in a distributed computing environment.

Other solutions include a sign-on product known as "TPX" by Legent Technologies Corporation. TPX is a mainframe product for a MVS/VM processing environment. TPX provides automated sign-on to all MVS sessions within a distributed computing environment after an initial authentication to the host computer system. However, TPX also only produces a homogeneous solution, aside from the fact that it is still relatively expensive to implement.

Consequently, it would be desirable to provide a method and system for authenticating an authorized user to all computer servers within a distributed computing environment that are available to the authorized user after a single network sign-on without sacrificing network security.

SUMMARY OF THE INVENTION

In view of the foregoing, it is therefore an object of the present invention to provide an improved method and system for data processing.

It is another object of the present invention to provide an improved method and system for processing sign-on requests within a distributed computer network.

It is yet another object of the present invention to provide an improved method and system for authenticating an authorized user to multiple computer servers within a distributed computing environment after a single network sign-on.

In accordance with the method and system of the present invention, an authentication broker is provided within the distributed computing network. The authentication broker first receives an authentication request from a workstation. After a determination that the authentication request is valid, the authentication broker then issues a Kerberos Ticket Granting Ticket to the workstation. At this point, if there is a request from the workstation for accessing a Kerberos Ticket-based server within the distributed computing network, the authentication broker will issue a Kerberos Service Ticket to the workstation. Similarly, if there is a request from the workstation for accessing a passticket-based server within the distributed computing network, the authentication broker will issue a passticket to the workstation. Finally, if there is a request from the workstation for accessing a password-based server within the distributed computing network, the authentication broker will issue a password to the workstation. By this, accesses to all of the above servers within the distributed computing network can be granted via a single network authentication request.

All objects, features, and advantages of the present invention will become apparent in the following detailed written description.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention itself, as well as a preferred mode of use, further objects, and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:

FIG. 1 is a pictorial representation of a distributed computing network in which a preferred embodiment of the present invention may be utilized;

FIG. 2 is an illustration of various types of authentication schemes by which a computer server can be utilized within the distributed computing network of FIG. 1;

FIG. 3a is a high-level flow diagram of the authentication protocol for Kerberos Ticket-based servers, according to a preferred embodiment of the invention;

FIG. 3b is a high-level flow diagram of the authentication protocol for passticket-based servers, according to a preferred embodiment of the invention;
FIG. 3c is a high-level flow diagram of the authentication protocol for password-based servers, according to a preferred embodiment of the invention; and

FIG. 4 is a high-level logic flow diagram of a method for authenticating sign-on requests to multiple computer servers, in accordance with a preferred embodiment of the invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENT

The present invention may be applicable to a variety of distributed computing networks, such as a local-area network (LAN) or a wide-area network (WAN), under a number of different operating systems. The computers within the distributed computing networks may be personal computers, mini-computers, or mainframe computers.

Referring now to the drawings and in particular to FIG. 1, there is depicted a pictorial representation of a distributed computing network 100 in which a preferred embodiment of the present invention may be utilized. As shown in FIG. 1, distributed computing network 100 may include a plurality of local networks, such as LANs 10 and 20, each of which preferably includes a plurality of computers 12 and 22, respectively. Of course, those skilled in the art will appreciate that a plurality of Intelligent Workstations coupled to a host processor may also be utilized for each of LANs 10 and 20. Each of computers 12, 22 may be coupled to a storage device 14 and/or an output device 16. One or more of storage devices 14 may be utilized to store various types of information within distributed computing network 100.

Still referring to FIG. 1, distributed computing network 100 may also include several mainframe computers, such as mainframe computer 18 and mainframe computer 26. As shown, mainframe computer 18 is coupled to LAN 10 by means of communications link 17. Mainframe computer 18 is also coupled to a storage device 15 which may serve as a remote storage for LAN 10. LAN 20 is coupled to LAN 10 via gateway server 28, communications links 24, 34, and mainframe computer 26 which serves as a communications controller. Gateway server 28 may be a computer or an Intelligent Workstation. Mainframe computer 18 may be situated in a location that is very far from LAN 10. Similarly, LAN 10 may be situated in a location that is also very far from LAN 20. For example, LAN 20 may be located in California, while LAN 10 may be located in Texas, and mainframe computer 18 may be located in New York.

With reference now to FIG. 2, there is illustrated various types of authentication schemes which a computer server can utilize within distributed computing network 100 of FIG. 1. As shown, a password-based server 36, a passticket-based server 37, and a Kerberos ticket-based server 38 are connected to a network communication link 7. In addition, a workstation 35 and an authentication server 39 are also connected to network communication link 7.

For the purpose of illustrating the present invention, the disclosed method is intended to allow a user to gain access to a password-based server 36, a passticket-based server 37, and a Kerberos ticket-based server 38 within the distributed computing network by simply utilizing a single sign-on at workstation 35. However, it is understood by those skilled in the art that the disclosed method is also applicable to a multiple of any or all of the above-mentioned servers. First, the user enters a user ID along with an appropriate password at workstation 35. Communication between workstation 35 and authentication server 39 is then established. The authentication of the user ID and password is subsequently attempted by an authentication broker 34, and if correct, the authentication is achieved. This permits an open session to occur such that the user may utilize all services provided by Kerberos Ticket-based server 38. At a later time, if the user desires to utilize the services offered by passticket-based server 37 and/or password-based server 36, the subsequent sign-on information is automatically provided by authentication broker 34 at authentication server 39. Accordingly, access to passticket-based server 37 and password-based server 36 is obtained without the additional input of a user ID and password for these servers.

Referring now to FIG. 3a, there is depicted a high-level flow diagram of the authentication protocol for Kerberos Ticket-based servers, according to a preferred embodiment of the invention. Initially, a user signs on with a user ID and an associated password at workstation 35. An authentication request is sent to authentication broker 34 with the user ID and the password. If the user is an authorized user, authentication broker 34 then sends a Kerberos Ticket Granting Ticket (KTGT) back to requesting workstation 35. At this point, if workstation 35 would desire services from a Kerberos Ticket-based server 38, workstation 35 has to send the KTGT to authentication broker 34 to exchange for a Kerberos Service Ticket (KST) in order to gain access to Kerberos Ticket-based server 38. If there are more Kerberos Ticket-based servers in the distributed computing network that the user at workstation 35 would like to access during a same session, the same KTGT will be sent to authentication broker 34 in order to exchange for another KST to gain access to these Kerberos Ticket-based servers. Each Kerberos Ticket-based server requires a new and separate KST for access.

Referring now to FIG. 3b, there is depicted a high-level flow diagram of the authentication protocol for passticket-based servers, according to a preferred embodiment of the invention. If workstation 35 would desire a service from a passticket-based server 37, workstation 35 has to send the KTGT to authentication broker 34 to exchange for another KST. In turn, this KST is sent back to authentication broker 34 to exchange for a passticket in order to gain access to passticket-based server 37. Similarly, if there are more passticket-based servers in the distributed computing network that workstation 35 would like to access during the same session, the same KTGT will be sent to authentication broker 34 in order to exchange for another KST and passticket to gain access to these passticket-based servers. Each passticket-based server requires a separate passticket for access.

Referring now to FIG. 3c, there is depicted a high-level flow diagram of the authentication protocol for password-based servers, according to a preferred embodiment of the invention. If workstation 35 would desire a service from a password-based server 36, workstation 35 has to send the KTGT to authentication broker 34 to exchange for another KST. In turn, this KST is sent back to authentication broker 34 to exchange for a password in order to gain access to password-based server 36. Similarly, if there are more password-based servers in the distributed computing network that workstation 35 would like to access during the same session, the same KTGT will be sent to authentication broker 34 in order to exchange for another KST and password to gain access to these password-based servers. Each password-based server requires a separate password for access.

Referring now to FIG. 4, there is illustrated a high-level logic flow diagram of a method for authenticating sign-on requests to multiple computer servers, in accordance with a preferred embodiment of the invention. Starting at block 40, a user ID and a password are collected from a user at the workstation. The user ID along with the password are then sent to the authentication broker, as shown in block 41. The user ID and the password information are accepted by the authentication broker for authenticating the validity of the user, as illustrated in block 42. A determination is then made as to whether or not the user is an authorized user, as depicted in block 43. If the user is not an authorized user, the process is aborted, as shown in block 99. Otherwise, if the user is an authorized user, a Kerberos Ticket Granting Ticket (KTGT) is obtained from the authentication server by the authentication broker, as shown in block 44. The Kerberos Ticket Granting Ticket is then returned from the authentication broker to the requesting workstation, as depicted in block 45. In turn, this Kerberos Ticket Granting Ticket is subsequently sent back to the authentication broker each time a new server is requested by the user at the workstation during the same session, as illustrated in block 46. After receiving the Kerberos Ticket Granting Ticket, this time the authentication broker responds by sending a Kerberos Service Ticket (KST) back to the requesting workstation, as shown in blocks 47 and 48. This KST is valid for gaining access to a Kerberos Ticket-based server.

A determination is made at the workstation as to whether or not a password and/or passticket are also needed, as shown in block 49. If neither a password nor a passticket is required, the process goes to block 56. Otherwise, if either a password or a passticket is required (or both a password and a passticket are required), the Kerberos Service Ticket is sent to the authentication broker once again, as illustrated in block 50. After receiving the Kerberos Service Ticket, a determination is subsequently made within the authentication broker as to whether a password or a passticket is needed, as shown in blocks 51 and 52. If a passticket is needed, the passticket is computed within the authentication broker, as shown in block 54. On the contrary, if a password is needed, a table lookup is performed by the authentication broker in a database containing all the passwords, as shown in block 53. The computed passticket and/or obtained password are then returned back to the requesting workstation, as shown in block 55. At this point, the requesting workstation can access a server within the distributed computing network utilizing a Kerberos Service Ticket, a passticket or a password, as appropriate.
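The following Python model is an added illustration of the exchanges of FIG. 3a through 3c and of the broker logic of FIG. 4 (blocks 40 to 55); it is not code from the patent. The class and function names (AuthenticationBroker, single_sign_on_session, compute_passticket, passticket_server_accepts), the sample user "alice", the three server names, the password table and the passticket derivation are all assumptions made here: the patent states only that a passticket is computed within the broker (block 54) and a password is obtained by table lookup (block 53), so the HMAC over user, application and time window is a stand-in for whatever computation a real passticket server expects.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data (assumption: a deployed broker would read these from a
# protected user registry; the patent gives no storage details).
SIGN_ON_DB = {"alice": "correct-horse-battery"}            # user ID -> sign-on password (block 42)
SERVER_TYPES = {                                           # the three server kinds of FIG. 2
    "mail.example": "kerberos",                            # Kerberos Ticket-based server 38
    "payroll.example": "passticket",                       # passticket-based server 37
    "legacy-db.example": "password",                       # password-based server 36
}
PASSWORD_TABLE = {("alice", "legacy-db.example"): "Db#Legacy42"}     # block 53 lookup table
PASSTICKET_KEYS = {"payroll.example": b"payroll-shared-secret"}      # key known to broker and server 37


def current_window(now=None):
    """Ten-minute validity window (assumption) that binds a passticket to a point in time."""
    return int(time.time() if now is None else now) // 600


def compute_passticket(user, app, window, key):
    """Block 54: derive a one-purpose passticket. The page does not give the real
    algorithm; this HMAC over user, application and window is a stand-in that
    makes the ticket useless for another user, application or time window."""
    msg = f"{user}|{app}|{window}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def passticket_server_accepts(user, app, ticket, window):
    """Check performed at passticket-based server 37 (assumption: it holds the same key)."""
    expected = compute_passticket(user, app, window, PASSTICKET_KEYS[app])
    return hmac.compare_digest(expected, ticket)


class AuthenticationBroker:
    """Authentication broker 34: KTGT on sign-on, then a KST per server, then a
    passticket or password in exchange for that KST (FIG. 4)."""

    def __init__(self):
        self._tgts = {}   # KTGT -> user ID                   (block 45)
        self._sts = {}    # KST  -> (user ID, target server)  (block 48)

    def sign_on(self, user, password):
        """Blocks 41-45: validate user ID and password; None means abort (block 99)."""
        stored = SIGN_ON_DB.get(user, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        tgt = secrets.token_hex(16)
        self._tgts[tgt] = user
        return tgt

    def service_ticket(self, tgt, server):
        """Blocks 46-48: exchange a valid KTGT for a KST bound to one named server."""
        user = self._tgts.get(tgt)
        if user is None or server not in SERVER_TYPES:
            raise PermissionError("unknown KTGT or server")
        st = secrets.token_hex(16)
        self._sts[st] = (user, server)
        return st

    def credential(self, st, window=None):
        """Blocks 50-55: exchange a KST for a passticket or password. The KST is
        consumed (assumption) so a captured KST cannot be replayed for a second credential."""
        entry = self._sts.pop(st, None)
        if entry is None:
            raise PermissionError("unknown or already-used KST")
        user, server = entry
        kind = SERVER_TYPES[server]
        if kind == "passticket":                                   # block 52 -> 54
            window = current_window() if window is None else window
            return compute_passticket(user, server, window, PASSTICKET_KEYS[server])
        if kind == "password":                                     # block 51 -> 53
            return PASSWORD_TABLE[(user, server)]
        raise ValueError("a Kerberos Ticket-based server is accessed with the KST itself")


def single_sign_on_session(broker, user, password, servers, window=None):
    """Workstation 35: one sign-on, then one KTGT -> KST (-> credential) exchange
    per server, as in FIG. 3a-3c. Returns {server: (kind, credential)} or None."""
    tgt = broker.sign_on(user, password)
    if tgt is None:
        return None
    creds = {}
    for server in servers:
        st = broker.service_ticket(tgt, server)        # the same KTGT serves every server (block 46)
        kind = SERVER_TYPES[server]
        if kind == "kerberos":                         # block 49: the KST alone suffices
            creds[server] = (kind, st)
        else:                                          # block 50: send the KST back
            creds[server] = (kind, broker.credential(st, window))
    return creds


if __name__ == "__main__":
    broker = AuthenticationBroker()
    session = single_sign_on_session(broker, "alice", "correct-horse-battery", list(SERVER_TYPES))
    for server, (kind, cred) in session.items():
        print(f"{server:18} {kind:10} {cred}")
```

Two design points follow the patent's own concern about credentials crossing the network: the KST is consumed when it is exchanged in block 50, so an observed KST yields no second passticket or password, and the passticket is bound to the user, the target application and a time window, so the value returned in block 55 is of no use against a different server or after the window closes. The password path (block 53) has no such binding, which is why the patent's own scheme keeps it as the fallback for servers that understand nothing else.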

As has been described, the present invention provides an improved method and system for authenticating an authorized user to multiple computer servers within a distributed computing network that are available to the authorized user after a single network sign-on. The method and system of the present invention are intended for accessing computer servers that utilize passwords, passtickets, or Kerberos Tickets. The present invention provides the capability to exploit the Kerberos authentication scheme within a distributed computing environment where not all applications and computer servers understand the Kerberos protocols.

While the invention has been particularly shown and described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention.

What is claimed is: 

1. A method for authenticating a user with respect to multiple computer servers within a distributed computing network, said method comprising:

providing an authentication broker within said distributed computing network;

receiving an authentication request from a workstation at said authentication broker;

issuing a Kerberos Ticket Granting Ticket to said workstation from said authentication broker after a determination that said authentication request is valid;

issuing a Kerberos Service Ticket to said workstation from said authentication broker in response to an access request from said workstation to a Kerberos Ticket-based server within said distributed computing network;

issuing a passticket to said workstation from said authentication broker in response to an access request from said workstation to a passticket-based server within said distributed computing network;

issuing a password to said workstation from said authentication broker in response to an access request from said workstation to a password-based server within said distributed computing network, such that accesses to all said servers are granted via a single network authentication request.

2. The method for authenticating a user to multiple computer servers within a distributed computing network according to claim 1, wherein said step of receiving an authentication request further includes a step of receiving a user identification and an associated password.

3. The method for authenticating a user to multiple computer servers within a distributed computing network according to claim 1, wherein said step of issuing a Kerberos Service Ticket further includes a step of exchanging said Kerberos Ticket Granting Ticket for said Kerberos Service Ticket.

4. The method for authenticating a user to multiple computer servers within a distributed computing network according to claim 1, wherein said step of issuing a passticket further includes a step of exchanging said Kerberos Ticket Granting Ticket for a second Kerberos Service Ticket and a step of exchanging said second Kerberos Service Ticket for said passticket.

5. The method for authenticating a user to multiple computer servers within a distributed computing network according to claim 1, wherein said step of issuing a password further includes a step of exchanging said Kerberos Ticket Granting Ticket for a third Kerberos Service Ticket and a step of exchanging said third Kerberos Service Ticket for said password.

6. A computer program product stored on a computer readable medium for authenticating a user with respect to multiple computer servers within a distributed computing network, said computer product comprising:

program code means for receiving an authentication request from a workstation at said authentication broker;

program code means for issuing a Kerberos Ticket Granting Ticket to said workstation from said authentication broker after a determination that said authentication request is valid;

program code means for issuing a Kerberos Service Ticket to said workstation from said authentication broker in response to an access request from said workstation to a Kerberos Ticket-based server within said distributed computing network;

program code means for issuing a passticket to said workstation from said authentication broker in response to an access request from said workstation to a passticket-based server within said distributed computing network;
program code means for issuing a password to said workstation from said authentication broker in response to an access request from said workstation to a password-based server within said distributed computing network, such that accesses to all said servers are granted via a single network authentication request.

7. The computer program product for authenticating a user to multiple computer servers within a distributed computing network according to claim 6, wherein said program code means for receiving an authentication request further includes a program code means for receiving a user identification and an associated password.

8. The computer program product for authenticating a user to multiple computer servers within a distributed computing network according to claim 6, wherein said program code means for issuing a Kerberos Service Ticket further includes a program code means for exchanging said Kerberos Ticket Granting Ticket for said Kerberos Service Ticket.

9. The computer program product for authenticating a user to multiple computer servers within a distributed computing network according to claim 6, wherein said program code means for issuing a passticket further includes a program code means for exchanging said Kerberos Ticket Granting Ticket for a second Kerberos Service Ticket and a program code means for exchanging said second Kerberos Service Ticket for said passticket.

10. The computer program product for authenticating a user to multiple computer servers within a distributed computing network according to claim 6, wherein said program code means for issuing a password further includes a program code means for exchanging said Kerberos Ticket Granting Ticket for a third Kerberos Service Ticket and a program code means for exchanging said third Kerberos Service Ticket for said password.

11. An authentication broker for authenticating a user to multiple computer servers within a distributed computing network, said authentication broker comprising:

means for receiving an authentication request from a workstation;

means for issuing a Kerberos Ticket Granting Ticket to said workstation after a determination that said authentication request is valid;

means for issuing a Kerberos Service Ticket to said workstation in response to an access request from said workstation to a Kerberos Ticket-based server within said distributed computing network;

means for issuing a passticket to said workstation in response to an access request from said workstation to a passticket-based server within said distributed computing network;

means for issuing a password to said workstation in response to an access request from said workstation to a password-based server within said distributed computing network, such that accesses to all said servers are granted via a single network authentication request.

12. The authentication broker for authenticating a user to multiple computer servers within a distributed computing network according to claim 11, wherein said means for receiving an authentication request further includes a means for receiving a user identification and an associated password.

13. The authentication broker for authenticating a user to multiple computer servers within a distributed computing network according to claim 11, wherein said means for issuing a Kerberos Service Ticket further includes a means for exchanging said Kerberos Ticket Granting Ticket for said Kerberos Service Ticket.

14. The authentication broker for authenticating a user to multiple computer servers within a distributed computing network according to claim 11, wherein said means for issuing a passticket further includes a means for exchanging said Kerberos Ticket Granting Ticket for a second Kerberos Service Ticket and a means for exchanging said second Kerberos Service Ticket for said passticket.

15. The authentication broker for authenticating a user to multiple computer servers within a distributed computing network according to claim 11, wherein said means for issuing a password further includes a means for exchanging said Kerberos Ticket Granting Ticket for a third Kerberos Service Ticket and a means for exchanging said third Kerberos Service Ticket for said password.